Total: 34649 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-47638 | 1 Vcita | 1 Online Booking & Scheduling Calendar For Wordpress By Vcita | 2025-05-16 | N/A | 6.1 MEDIUM |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Reflected XSS. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.6. | |||||
CVE-2024-7891 | 1 Just-a-web-developer | 1 Floating Contact Button | 2025-05-16 | N/A | N/A |
The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
CVE-2024-7955 | 1 Squirrly | 1 Starbox | 2025-05-16 | N/A | N/A |
The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
CVE-2024-7846 | 1 Yithemes | 1 Yith Woocommerce Ajax Search | 2025-05-16 | N/A | N/A |
YITH WooCommerce Ajax Search is vulnerable to an XSS vulnerability due to insufficient sanitization of user-supplied block attributes. This makes it possible for attackers with Contributor or higher privileges to inject arbitrary scripts. | |||||
CVE-2025-4547 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2025-05-16 | N/A | 4.8 MEDIUM |
A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Add User Page. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Multiple parameters might be affected. | |||||
CVE-2025-48113 | | | 2025-05-16 | N/A | N/A |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Broadstreet Broadstreet allows Stored XSS. This issue affects Broadstreet: from n/a through 1.51.8. | |||||
CVE-2025-48112 | | | 2025-05-16 | N/A | N/A |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from n/a through 1.0. | |||||
CVE-2025-48121 | | | 2025-05-16 | N/A | N/A |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Puddick WP Notes Widget allows DOM-Based XSS. This issue affects WP Notes Widget: from n/a through 1.0.6. | |||||
CVE-2025-48080 | | | 2025-05-16 | N/A | N/A |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through 3.7.0.2. | |||||
CVE-2025-48131 | | | 2025-05-16 | N/A | N/A |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from n/a through 2.0.0. | |||||
CVE-2025-46464 | | | 2025-05-16 | N/A | N/A |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scripteo Ads Pro Plugin allows Stored XSS. This issue affects Ads Pro Plugin: from n/a through 4.88. | |||||
CVE-2025-47557 | | | 2025-05-16 | N/A | N/A |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG allows Stored XSS. This issue affects MapSVG: from n/a through 8.5.31. | |||||
CVE-2025-0785 | 1 Esafenet | 1 Cdg | 2025-05-16 | N/A | 6.1 MEDIUM |
A vulnerability was found in ESAFENET CDG V5 and classified as problematic. This issue affects some unknown processing of the file /SysConfig.jsp. The manipulation of the argument help leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2025-31140 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | N/A | 6.1 MEDIUM |
In JetBrains TeamCity before 2025.03 stored XSS was possible on the Cloud Profiles page. | |||||
CVE-2025-26493 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | N/A | 6.1 MEDIUM |
In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. | |||||
CVE-2025-46618 | 1 Jetbrains | 1 Teamcity | 2025-05-16 | N/A | 6.1 MEDIUM |
In JetBrains TeamCity before 2025.03.1 stored XSS was possible on the Data Directory tab. | |||||
CVE-2025-40632 | | | 2025-05-16 | N/A | N/A |
Cross-site scripting (XSS) in IceWarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to modify the "lastLogin" cookie with malicious JavaScript code that will be executed when the page is rendered. | |||||
CVE-2024-26152 | 1 Humansignal | 1 Label Studio | 2025-05-16 | N/A | 6.1 MEDIUM |
Summary: On all Label Studio versions prior to 1.11.0, data imported via the file upload feature is not properly sanitized before being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability. Details: the attacker needs permission to use the "data import" function. Reproduced on Label Studio 1.10.1. PoC: 1. Create a project. 2. Upload a file containing the payload using the "Upload Files" function; the file used in the PoC contained `{ "data": { "prompt": "labelstudio universe image", "images": [ { "value": "id123#0", "style": "margin: 5px", "html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>" } ] } }`. 3. Select the text-to-image generation labeling template (Ranking and scoring). 4. Select a task. 5. Observe that the script runs. Impact: malicious scripts can be injected into the rendered page and, chained with vulnerabilities such as CSRF or with social engineering, can cause greater damage; the injected script becomes a source of further attacks. | |||||
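The PoC above is instructive because the payload carries no `<script>` tag at all: the script lives in an `onload` attribute of an otherwise legitimate `<img>`, so a check that only looks for script tags misses it. The following Python sanitizer is an added example, not Label Studio's code or the fix shipped in 1.11.0. It re-serialises an HTML fragment from an allowlist of tags and attributes, drops every `on*` handler and every non-http(s) URL, records what it removed, and is run over the constructed upload body quoted from the advisory. The tag/attribute allowlist and the rule of sanitising every `html` key in the import are assumptions made for this example.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed input: the upload body quoted in the CVE-2024-26152 PoC above.
POC_UPLOAD = """{ "data": { "prompt": "labelstudio universe image", "images": [ { "value": "id123#0", "style": "margin: 5px", "html": "<img width='400' src='https://labelstud.io/_astro/images-tab.64279c16_ZaBSvC.avif' onload=alert(document.cookie)>" } ] } }"""

# Allowlist chosen for this example (an assumption, not Label Studio's policy).
ALLOWED_TAGS = {"img", "a", "b", "i", "em", "strong", "p", "span", "br"}
ALLOWED_ATTRS = {"img": {"src", "alt", "width", "height"}, "a": {"href", "title"}}
VOID_TAGS = {"img", "br"}
SAFE_SCHEMES = {"", "http", "https"}


def safe_url(value):
    """True only for relative or http(s) URLs; javascript:, data:, etc. are rejected.
    Non-printable characters are stripped first so 'java\\nscript:' cannot hide the scheme."""
    cleaned = "".join(ch for ch in (value or "") if ch.isprintable()).strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment from allowlisted tags/attributes only.
    Everything else, including every on* event handler, is dropped and recorded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases names
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")
            elif name in ("src", "href") and not safe_url(value):
                self.dropped.append(f"url:{tag}@{name}={value}")
            else:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped, so decoded entities cannot turn back into markup.
        self.out.append(html.escape(data))


def sanitize_html(fragment):
    """Return (clean_fragment, list_of_dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


def sanitize_import(upload_json):
    """Walk an uploaded task body and sanitise every 'html' string before it is stored.
    Returns (cleaned_document, list_of_dropped_items) so the import can be logged/rejected."""
    dropped = []

    def clean(value):
        fragment, removed = sanitize_html(value)
        dropped.extend(removed)
        return fragment

    def walk(node):
        if isinstance(node, dict):
            return {k: clean(v) if k == "html" and isinstance(v, str) else walk(v)
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(item) for item in node]
        return node

    return walk(json.loads(upload_json)), dropped


if __name__ == "__main__":
    doc, removed = sanitize_import(POC_UPLOAD)
    print(doc["data"]["images"][0]["html"])
    print("dropped:", removed)
```

Rejecting the upload outright when `dropped` is non-empty is usually the better policy for an import pipeline; silently cleaning hides probing attempts from the audit trail.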
CVE-2022-34021 | 1 Resiot | 1 Iot Platform And Lorawan Network Server | 2025-05-16 | N/A | 5.4 MEDIUM |
Multiple Cross Site Scripting (XSS) vulnerabilities in ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 via the form fields. | |||||
CVE-2025-22465 | 1 Ivanti | 1 Endpoint Manager | 2025-05-16 | N/A | 6.1 MEDIUM |
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary JavaScript in a victim's browser. As with any reflected XSS, user interaction is required: the victim must load the attacker-supplied input. |